Microsoft Exchange: analysing the geopolitics

Blog post -
Earlier this year, a major cyber-attack targeted Microsoft Exchange servers, affecting an estimated 30,000 organisations around the world and enabling large-scale espionage against a range of targets.

This week, the UK, US and EU have all accused China of carrying out the attack, stating that China’s tactics have evolved to include ‘smash-and-grab’ raids: information about the Exchange vulnerabilities was shared more widely and contract hackers were recruited to exploit them.

In this article, Christo Butcher, global lead for threat intelligence at NCC Group, outlines the motivations behind the attack and analyses the significance of the UK, US and EU’s public accusation.

“Early evidence of this attack can be traced back to January of this year, highlighting the methods employed by Hafnium, the first threat actor shown to have exploited the Exchange vulnerabilities. These initial attacks can be broken down into two parts. Firstly, the attacker would target the server to read the victim's emails, before seeking to install implants and webshells onto a target network to potentially gain remote access.”

“However, from the end of February, we saw a frenzy of indiscriminate attacks from a wider range of threat actors hoping to exploit these vulnerabilities. That shift in activity is in line with the recent UK, US and EU allegations of China sharing information on the Exchange vulnerabilities and recruiting contract hackers.”

“Although many organisations will have patched the vulnerability by now, the escalating tactics that the UK, EU and US have accused China of using as part of the attack should serve as a useful reminder to implement strong cyber hygiene across their organisation. This includes installing the latest updates from Microsoft and other suppliers as soon as possible, as well as investigating systems for any indicators of compromise such as webshells, suspicious files and new scripts. If any indicators of compromise are identified within a system, the next step is to begin the incident response process and take steps to secure any affected machines.”

“The UK, US and EU’s announcement will increase the pressure on China within the geopolitical landscape by bringing the discussion into the public and political domains. It is also significant that the Western authorities have explicitly noted China’s use of contract hackers to carry out state-level attacks. This shift includes those contract hackers exploiting vulnerabilities for personal and financial gain as well as state-level benefits. It also highlights the increasingly blurred line between state and other threat actors, as well as between their respective motivations. Given that evolving threat landscape, organisations should maintain a comprehensive security posture that is not limited to a narrow type of threat.”
